diff --git a/bibtexbrowser.php b/bibtexbrowser.php
index edf2475..2dddb8c 100755
--- a/bibtexbrowser.php
+++ b/bibtexbrowser.php
@@ -238,15 +238,16 @@ function _zetDB($bibtex_filenames) {
 // ---------------------------- HANDLING unexistent files
 foreach(explode(MULTIPLE_BIB_SEPARATOR, $bibtex_filenames) as $bib) {
- $saveBib = htmlEntities($bib, ENT_QUOTES);
+ // escape $bib to prevent XSS
+ $escapedBib = htmlEntities($bib, ENT_QUOTES);
 // get file extension to only allow .bib files
- $ext = pathinfo($saveBib, PATHINFO_EXTENSION);
+ $ext = pathinfo($escapedBib, PATHINFO_EXTENSION);
 // this is a security protection
- if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($saveBib) || strcasecmp($ext, 'bib') != 0)) {
+ if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($escapedBib) || strcasecmp($ext, 'bib') != 0)) {
 // to automate dectection of faulty links with tools such as webcheck
 header('HTTP/1.1 404 Not found');
- die('the bib file '.$saveBib.' does not exist !');
+ die('the bib file '.$escapedBib.' does not exist !');
 }
 } // end for each